Cyber resilience integrated security inspection system (crisis) against false data injection attacks

ABSTRACT

A method for detecting false data injection attacks (FDIAs) on a condition-based predictive maintenance (CBPM) system includes: collecting sensor data from sensors monitoring components of a system maintained by the CBPM system to extract features for a cyberattack detection model and gathering historical data of the system to build a cyberattack knowledge base about the system; combining the sensor data and the historical data to train the cyberattack detection model; using a graphical Bayesian network model to capture domain knowledge and condition-symptom relationships between the sensor-monitored components and the sensors; and based on the cyberattack detection model and the Bayesian network model, detecting the FDIAs on the CBPM system.

GOVERNMENT RIGHTS

The present disclosure was made with Government support under ContractNo. N68335-20-C-0792, awarded by Naval Sea Systems Command (NAVSEA). TheU.S. Government has certain rights in the present disclosure.

FIELD OF THE DISCLOSURE

The present disclosure generally relates to the field of data securityand, more particularly, relates to a method and a system for cyberresilience integrated security inspection against false data injectionattacks.

BACKGROUND

Modern US Navy ships and submarines are configured with anever-increasing level of automation, including state-of-the-art embeddedwireless sensors that monitor vital system functions. One potential useof this network of sensors is Condition-based Predictive Maintenance(CBPM), the prediction of faults in a component or system powered byadvanced machine learning (ML) algorithms to reduce vessel downtime andincrease readiness. However, this network of sensor nodes is vulnerableto cybersecurity attacks and susceptible to corruption throughaccidental or malicious events. To address these shortfalls and minimizevulnerabilities of CBPM systems, the present disclosure provides adefense system that includes both data-driven and model-based techniquesto build an extensible cybersecurity layer for CBPM applications toprovide enhanced cyber resiliency. The defense system is also called acyber resilience integrated security inspection system (CRISIS) againstfalse data injection attacks.

Specifically, a deep learning algorithm based on long short-term memory(LSTM) and gated recurrent unit (GRU) is used to detect abnormalfeatures of generalized false data injection attacks (FDIAs) on wirelesssensors of a turbofan engine simulated by NASA's C-MAPSS simulator. Thedynamic nature of the turbofan engine is represented by a graphicalphysics-informed Bayesian Network model and is used to predict healthconditions accordingly. The model characterizes the condition-symptomrelationships of different engine components and sensors. The presentdisclosure also provides a hybrid software-in-the-loop andhardware-in-the-loop system to evaluate the effectiveness of defensemechanisms of the CRISIS system.

BRIEF SUMMARY OF THE DISCLOSURE

One aspect or embodiment of the present disclosure includes a method fordetecting false data injection attacks (FDIAs) on a condition-basedpredictive maintenance (CBPM) system. The method includes: collectingsensor data from sensors monitoring components of a system maintained bythe CBPM system to extract features for a cyberattack detection modeland gathering historical data of the system to build a cyberattackknowledge base about the system; combining the sensor data and thehistorical data to train the cyberattack detection model; using agraphical Bayesian network model to capture domain knowledge andcondition-symptom relationships between the sensor-monitored componentsand the sensors; and based on the cyberattack detection model and theBayesian network model, detecting the FDIAs on the CBPM system.

Another aspect or embodiment of the present disclosure includes acyberattack detection system. The cyberattack detection system includessensors monitoring components of a system maintained by acondition-based predictive maintenance (CBPM) system; a memory storingcomputer programs; and a processor configured to execute the computerprograms to: collect sensor data from the sensors to extract featuresfor a cyberattack detection model and gather historical data of thesystem to build a cyberattack knowledge base about the system; combinethe sensor data and the historical data to train the cyberattackdetection model; use a graphical Bayesian network model to capturedomain knowledge and condition-symptom relationships between thesensor-monitored components and the sensors; and based on thecyberattack detection model and the Bayesian network model, detect falsedata injection attacks (FDIAs) on the CBPM system.

Another aspect or embodiment of the present disclosure includes acomputer-readable storage medium storing a computer program fordetecting false data injection attacks (FDIAs) on a condition-basedpredictive maintenance (CBPM) system. The computer program performs:collecting sensor data from sensors monitoring components of a systemmaintained by the CBPM system to extract features for a cyberattackdetection model and gathering historical data of the system to build acyberattack knowledge base about the system; combining the sensor dataand the historical data to train the cyberattack detection model; usinga graphical Bayesian network model to capture domain knowledge andcondition-symptom relationships between the sensor-monitored componentsand the sensors; and based on the cyberattack detection model and theBayesian network model, detecting the FDIAs on the CBPM system.

Other aspects or embodiments of the present disclosure can be understoodby those skilled in the art in light of the description, the claims, andthe drawings of the present disclosure.

BRIEF DESCRIPTION OF THE DRAWINGS

The following drawings are merely examples for illustrative purposesaccording to various disclosed embodiments and are not intended to limitthe scope of the present disclosure.

FIG. 1 depicts a schematic diagram illustrating an operational conceptof a cyber resilience integrated security inspection system (CRISIS)according to various disclosed embodiments of the present disclosure;

FIG. 2 depicts a flowchart illustrating a method for detecting falsedata injection attacks (FDIAs) on a condition-based predictivemaintenance (CBPM) system according to various disclosed embodiments ofthe present disclosure;

FIGS. 3A-3D depict schematic diagrams illustrating exemplary attacksaccording to various disclosed embodiments of the present disclosure;

FIGS. 4A-4D depict schematic diagrams illustrating exemplary attacksaccording to various disclosed embodiments of the present disclosure;

FIG. 5 is a confusion matrix of the LSTM model on an exemplary datasetaccording to various disclosed embodiments of the present disclosure;

FIG. 6A is a test confusion matrix of the LSTM model on detectinggeneralized FDIAs according to various disclosed embodiments of thepresent disclosure;

FIG. 6B is a test confusion matrix of the GRU model on detectinggeneralized FDIAs according to various disclosed embodiments of thepresent disclosure;

FIG. 7 is a confusion matrix of the GRU model on detecting generalizedFDIAs for an individual sensor according to various disclosedembodiments of the present disclosure;

FIG. 8 is a confusion matrix of the GRU model on detecting generalizedFDIAs for all sensors according to various disclosed embodiments of thepresent disclosure;

FIG. 9 depicts a schematic diagram illustrating accuracy versus attackintensity according to various disclosed embodiments of the presentdisclosure;

FIG. 10 depicts a schematic diagram illustrating an exemplary graphicalBayesian network model for a turbofan engine according to variousdisclosed embodiments of the present disclosure;

FIG. 11 depicts a schematic diagram illustrating an exemplary graphicalBayesian network model for a gas turbine engine in a normal operationstate according to various disclosed embodiments of the presentdisclosure;

FIG. 12 depicts a schematic diagram illustrating an exemplary graphicalBayesian network model for a gas turbine engine in a cyberattack stateaccording to various disclosed embodiments of the present disclosure;

FIG. 13 depicts a structural diagram illustrating a cyber resilienceintegrated security inspection system (CRISIS) against the FDIAsaccording to various disclosed embodiments of the present disclosure;

FIG. 14 depicts a schematic diagram illustrating a hardware-in-the-loopworkflow according to various disclosed embodiments of the presentdisclosure;

FIG. 15 depicts a schematic diagram illustrating a graphical userinterface (GUI) of the CRISIS according to various disclosed embodimentsof the present disclosure; and

FIG. 16 depicts a structural block diagram illustrating a cyberattackdetection system according to various disclosed embodiments of thepresent disclosure.

DETAILED DESCRIPTION

Reference will now be made in detail to exemplary embodiments of thedisclosure, which are illustrated in the accompanying drawings. Whereverpossible, the same reference numbers will be used throughout thedrawings to refer to the same or like parts. In the followingdescription, reference is made to the accompanying drawings that form apart thereof, and in which is shown by way of illustration specificexemplary embodiments in which the disclosure may be practiced.

These embodiments are described in sufficient detail to enable thoseskilled in the art to practice the disclosure and it is to be understoodthat other embodiments may be utilized and that changes may be madewithout departing from the scope of the disclosure. The followingdescription is, therefore, merely exemplary.

Modern US Navy ships and submarines are configured with anever-increasing level of automation, including state-of-the-art embeddedwireless sensors that monitor vital system functions, such as, bridgesystems, cargo handling and management systems, propulsion and machinerymanagement and power control systems, access control systems, andnavigation systems including Automatic Identification System (AIS),Global Positioning System (GPS), and Electronic Chart DisplayInformation System (ECDIS). At the same time, cyber-attacks areincreasing in frequency, impact, and complexity, with the potential formalicious acts or catastrophic damage to ship or submarine systems. Forexample, Vice Admiral William Hilarides, NAVSEA Commander wrote “Thereare little noticed cyber vulnerabilities on nuclear attack submarineslike the Virginia-class boats that are slowly becoming the mainstay ofthe Navy's undersea fleet.” In another example, a Department of Defenserecent report argues that hacktivists, supported by some state-fundedactors, can deploy malware when ships and submarines are in port and canbecome activated at sea to yield devastating results such asneutralizing operations, loss of life, defeat, or perhaps evencatastrophic exchange of nuclear warheads.

Sensors including microcomputers are integrated into many ship andsubmarine machinery control systems, such as the main engine controlcircuitry. The sensors are potential targets for cyber-attacks and aresusceptible to corruption through accidental events. In some cases,sensor data may be transmitted via unclassified networks to maintenancecrews ashore. This makes the sensor network a point of vulnerability. Inaddition, malicious actors may access a submarine's information systemsvia computer terminals, network ports, or other computer equipment,causing substantial damages. The malicious actors may accomplish theirobjective using a variety of attack techniques, such as weather forecastspoofing, low-rate distributed denial-of-service (DDoS), and phishing.

The AIS is considered to be a soft target for cyber-attack because itdoes not have a built-in mechanism to encrypt or authenticate signals.For example, a closest point of approach (CPA) spoofing attack mayinvolve faking a possible collision with a target. The spoofing attackwill trigger a CPA alert, which could lead the ship off course to runaground or collide with a nearby ship. As another example, the spoofingattack may involve generating false distress beacons. Attackers (e.g.,pirates) may rigger AIS search and rescue transponder (SART) alerts tolure victims into navigating to hostile and attacker-controlled areas.Many stealthy attacks, such as false data injection attacks (FDIAs), aredifficult to detect on a condition-based predictive maintenance (CBPM)system, and may stealthily compromise measurements from sensors, bypasssensor's basic “faulty data” detection mechanism, and remain undetected.The FDIAs may be injected by compromised physical sensors, at sensorcommunication networks, and/or through data processing programs. Suchattacks on the CBPM system may not even present their impact but maypropagate from the sensors to the detection system to fool the CBPMsystem by predicting a delayed asset failure or maintenance intervalinstead. As a result, a significant cost may incur due to unplannedfailure or loss of human lives in safety critical applications.

The present disclosure provides a cyber resilience integrated securityinspection system (CRISIS) to improve the cyber-resiliency of the CBPMsystem. The CRISIS augments current onboard condition monitoring andmaintenance processes to enhance fleet performance and readiness throughimproved equipment availability, reliability, security, and lifecycleoperation and maintenance costs. The CRISIS communicates status to amonitoring system, provides options for solutions, and presents rightalarms and information in a manner complementary to machine intelligencethat does not overload human operators.

The state-of-the-art CBPM method applies analytics to detect anomaliesand schedules maintenance only when needed. However, many CBPMapplications are constrained by computing and power restrictions whendeployed on wireless hardware. In these cases, the cybersecurity layermay be implemented effectively while minimizing the impact on powerconsumption and an overall lifespan of embedded sensors. While majoradvances in machine learning (ML) and augmented intelligence (AI) may beadopted to develop efficient algorithms to minimize vulnerabilities andimprove cyber resiliency of internet-connected systems, stable versionsof deep learning (DL) based techniques are still required for the CBPMsystem due to its complexity and criticality.

In the embodiments of the present disclosure, the CRISS includes bothdata-driven and model-based techniques to build a flexible andextensible cybersecurity layer incorporated into the CBPM system. FIG. 1depicts a schematic diagram illustrating an operational concept of acyber resilience integrated security inspection system (CRISIS)according to various disclosed embodiments of the present disclosure. Asshown in FIG. 1 , the CRISIS includes four layers: an input layer, aknowledge layer, a reasoning layer, and a graphic user interface (GUI)layer. The input layer collects and processes dynamic knowledge, such ason-board sensor data (e.g., from an accelerometer, a strain gauge, athermometer, etc.), to extract features for a cyber resilience model.The input layer also gathers historical data from a variety of sources(e.g., system operator logs, sensory readings, hardware/software usage,etc.) using natural language processing to convert unstructured textdata into concepts and relations that can be encoded in a cybersecurityknowledge base. The sensory data may be obtained using a commercialmodular aero-propulsion system simulation (C-MAPSS) emulator.

The knowledge layer combines datasets from the input layer to developcomprehensive cyber resilience models based on machine learning (ML)techniques. Continuous and intermittent FDIAs are modeled in ageneralized way and their impacts on the CBPM system are examined.Data-driven ML based models, such as long short-term memory (LSTM) andgated recurrent unit (GRU), are trained and detection performance of themodels are evaluated.

The reasoning layer includes a graphical physics-informed Bayesiannetwork model to represent the dynamic nature of the system maintainedby the CBPM system. The model characterizes the condition-symptomrelationships of different components and sensors and effectivelyreveals anomaly patterns such as the FDIAs with the corresponding sensorreadings and trends.

The GUI layer integrates both software-in-the-loop (SITL) andhardware-in-the-loop (HITL) architectures to provide maintenanceoperators with a user-friendly interaction experience. The CRISISsupports the maintenance operators in combining data seamlessly,identifying potential attacks rapidly, and recommending detection andmitigation actions timely.

Generally, predictive maintenance (PdM) systems are often deployed intwo major application scenarios: manufacturing pipeline, and mechanicaland electrical industrial products. For example, a modern automotivepipeline includes a substantial amount of automatic apparatus. Failureof any one of the automatic apparatus may cause huge losses. An enginehealth monitoring system is another example of the PdM application inthe industrial product. In both application scenarios, functionality ofthe entire system depends on the substantial amount of individualcomponents, and the PdM systems allow timely and corrective maintenancefor the individual components. For example, replacement parts may beordered in advance to avoid hazardous failure of the entire system.

The engine health monitoring system utilizes wireless sensors to collectrunning status of a ship engine which is an extremely complex system andrequires timely maintenance. Readings of the wireless sensors areindicators of the health of the ship engine and are transmitted over awireless network to a central engine controller, where a remaininguseful life (RUL) of the ship engine is predicted by prediction modelsto guide an engine manufacturer to maintain the ship engine as the RULapproaches an end of life. Various models, such as fuzzy models, bigdata frameworks, and deep learning-based models, have been used toaccurately implement the PdM systems.

The FDIAs were discovered originally in smart grid industry. An FDIAattacker often compromises sensor readings in such a tricky way thatundetected errors are induced into the calculation of state variablesand values. The widespread adoption of Internet of Everything (IoE) orInternet of Things (IoT) makes cybersecurity a necessity rather than anaccessory. The attacks become more and more sophisticated.

The FDIAs often cause a huge impact on the PdM systems. False datainjection in an IoT network may mislead the deep learning-based PdMsystems to make a false prediction. The FDIAs are able to successfullyfool the LSTM and GRU networks to incorrectly predict the RUL values inthe C-MAPSS dataset. Thus, the FDIAs may substantially impact all PdMdeep learning models including convolutional neural networks (CNNs),LSTM networks, and GRU networks.

The FDIAs compromise a PdM system by changing predictions made by amachine learning model. For example, the predicted RUL may be changed tobe longer or shorter than its true value, thereby causing losses.However, it is difficult to detect or prevent the FDIAs on the machinelearning models in real-life PdM systems. In the present disclosure,recurrent neural networks (RNNs) are used to detect the FDIAs in C-MAPPSdataset.

RNN includes an artificial neural network (ANN) architecture with loops.RNNs are often used for processing sequential signals by introducing amemory mechanism. For example, dependency information in the sequencesmay be explored and representations of the sequences that distinguishthe sequences without manually designing features are learned. An RNNcell includes a signal of a current step as one input and a hidden stategenerated by the same RNN cell in a preceding step as another input. TheRNN cell conveys historical information of a sequence by merging acurrent input into a hidden state and passes a merged result to an RNNcell of a succeeding step.

LSTM and GRU networks are two types of RNNs that are dedicated toovercome blow-up or vanishing gradient problems in training standardRNNs. In addition to the hidden state in an ordinary RNN cell, the LSTMnetwork introduces a cell state that acts like a “highway” of thegradient by avoiding interaction of nonlinearities with backpropagation.Moreover, the LSTM network employs multiple gates with nonlinearities toincrease an expressive power of the LSTM network. The GRU networksimplifies computation and architecture of the LSTM network but sharessimilar ideas. In the present disclosure, the LSTM and GRU networks areused to detect the FDIAs in the PdM systems.

The present disclosure provides a method for detecting the FDIAs on theCBPM system. The CBPM system maintains the system, such as a navy shipor submarine. The method protects the CBPM system from the cyberattackssuch as the FDIAs. The FDIAs include continuous and intermittent FDIAs.FIG. 2 depicts a flowchart illustrating a method for detecting the FDIAson the CBPM system according to various disclosed embodiments of thepresent disclosure. As shown in FIG. 2 , the method includes thefollowing processes.

At S210, sensor data is collected from sensors monitoring components ofa system maintained by the CBPM system to extract features for acyberattack detection model, and historical data of the system isgathered to build a cyberattack knowledge base about the system.

In this case, the cyberattack detection model is configured to detectthe FDIAs on the CBPM. The cyberattack detection model can be expandedto detect other intrusions and attacks when additional aspects and dataof the system maintained by the CBPM system are incorporated.

In some embodiments, the sensor data is the on-board sensor dataobtained from the sensors that monitor components of the system. Thecomponents of the system include a compressor and a turbine engine. Thesensor data includes readings of one or more of an accelerometer, astrain gauge, a thermometer, etc. The historical data is unstructuredtext data including one or more of a system operator log, hardwareinformation, and software information. After the historical data isgathered, natural language processing is performed on the historicaldata to convert the unstructured text data into concepts andrelationships. A cyberattack knowledge base about the system can bebuilt based on the concepts and the relationships.

At S220, the sensor data and the historical data are combined to trainthe cyberattack detection model.

In some embodiments, the sensor data and the historical data arecombined to train the cyberattack detection model based on the MLtechniques. The cyberattack detection model includes the LSTM mode andthe GRU model. The trained cyberattack detection model can be used toprocess the sensor data in real-time to detect the FDIAs.

In some embodiments, each sensor corresponds to a separate cyberattackdetection model. The sensor data obtained from each sensor is used totrain the corresponding cyberattack detection model. The separatelytrained cyberattack detection model can be used to process the sensordata obtained from each sensor in real-time to detect which sensor isattacked by the FDIAs.

At S230, a graphical Bayesian network model is used to capture domainknowledge and condition-symptom relationships between thesensor-monitored components and the sensors.

In some embodiments, the graphical Bayesian network model includes aplurality of nodes connected by a plurality of links to represent thephysical structure of the system. The domain knowledge includestechnical manuals and mathematical engine models that describe thecomponents of the system, how the components are connected, whichcharacteristics of the system are measured by the sensor, and how thesystem works. The domain knowledge provides a topological structure forthe graphical Bayesian network model. The condition-symptomrelationships determine weights of the plurality of links between theplurality of nodes of the graphical Bayesian network model. Thus, thegraphical Bayesian network model represents the dynamic nature of thesystem maintained by the CBPM system and is able to reveal the anomalypatterns such as the FDIAs.

At S240, the FDIAs on the CBPM system are detected based on thecyberattack detection model and the graphical Bayesian network model.

In some embodiments, both the cyberattack detection model and thegraphical Bayesian network model are used to process the sensor data inreal-time to detect the FDIAs on the CBPM system. The data-driven andphysics-informed approach of combining the cyberattack detection modeland the graphical Bayesian network model makes the detection of theFDIAs on the CBPM system more accurate and more efficient.

Further, the method for detecting the FDIAs on the CBPM system may beintegrated with the CBPM system to display each sensor being attacked bythe FDIAs, detect the GNSS and AIS spoofing, detect the channel accessattacks on the CBPM system, and predict the effect of the FDIAs on theRUL of the system and make maintenance recommendation.

The FDIA attacks include four types: interim-random, interim-biased,continuous-random, and continuous-biased. The “interim” and “continuous”indicate duration of the FDIA attacks. The interim attacks last about 20time cycles. The continuous attacks start at d time cycle and continueto the end-of-life of the engine. The biased attacks add a constantamount of shift to the sensor output. The random attacks add a noisehaving a small range to the sensor output.

FIGS. 3A-3D depict schematic diagrams illustrating exemplary attacksaccording to various disclosed embodiments of the present disclosure.Samples satisfying the following assumptions are selected from anexemplary C-MAPSS dataset. The assumptions include the following. Theattacks are applied to three specific sensors out of 21 sensors. Theattacks are all initiated at the 130^(th) time cycle. The duration ofthe interim attack lasts 20 time cycles. The shift of the biased attacksis always negative. The range of the noise that random attacks injecthas a range of approximately 0.01%-0.05%. As such, 37 samples areselected from the dataset.

In some embodiments, an RNN model is used to detect the FDIAs in thesame dataset described above. The 37 attack samples are distributed in707 normal samples in the dataset. 683 normal and attack samples (i.e.,80%) are used as a training dataset and 172 normal and attack samples(i.e., 20%) are used as a test dataset.

Two different RNN models, that is, the LSTM model and the GRU model, areincluded in Table 1 below. In this case, all sensor readings are used.The number of training epochs is 60. The initial learning rate is1×10⁻³. The optimizer is a stochastic optimizer.

TABLE 1 LSTM Loss Cross-entropy Linear Linear (in_features = 64 (or 16),out_features = 2, bias = True) RNN LSTM (in_features = 21 (or 1),out_features = 64 (or 16), cell num_layers = 2, dropout = 0.5) GRU LossCross-entropy Linear Linear (in_features = 64 (or 16), out_features = 2,bias = True) RNN GRU (in_features = 21 (or 1), out_features = 64 (or16), cell num_layers = 2, dropout = 0.5)

In Table 1, the input dimensionality of the RNN cells can be 21 or 1depending on inputting all 21 sensor readings or one sensor reading indifferent scenarios. Similarly, the output dimensionality of the RNNcells and the input of the linear layer depends on the scenarios. Theconfusion matrix of the LSTM model for the dataset is shown in FIG. 5 .The test accuracy of the GRU model is 100%. Both the LSTM model and theGRU model achieve high test accuracy. In this case, the attacks arestrong and easy to be detected.

In some embodiments. More generalized FDIAs are used in testing. Theassumptions for more generalized FDIAs include the following. Theattacker observes the sensor readings for a certain amount of time, forexample, at least 20% of a length of the sequence. Two sensors arerandomly selected as attack targets. Sensors that have constant readingsduring the observation are excluded. The attacks are initiated at arandom time cycle after the observation. The duration of the interimattacks is randomly selected in the range of 10%-40% cycles out of thetotal length of the sequence. The shift of the boas added to the attackscan be negative or positive with 50% probability, respectively. In therandom attacks, the standard deviation of the injected noise is the sameas during the observation. In the biased attacks, the shift of the biasadded to the attacks is in the range of 0.01%-0.05% of the mean valueduring the observation. Table 2 below shows a comparison of theassumptions.

TABLE 2 New Assumptions The Assumptions in [8] The attacked sensors arerandomly selected (sensors with constant reading Attacked sensors arefixed. are not attacked) The attacker observes in the first 20% of thetime cycles. The attacks are The attacks always start at the 130-th timecycle. initialized randomly in the remaining sequence. The duration ofthe interim attacks is random selected in the range of 10%- The durationof the attack is fixed in the interim mode (80 cycles). 40% cycles outof the total length. The shift bias is either positive or negative with50% probability. The shift of bias is always negative. In the randomattacks, the standard deviation of the injected noise is the The base ofthe shifted percentage for the biased attacks is not specified. same asthe observations. In the biased attacks, the shifted bias is 0.01%-0.05%of the observations.

FIGS. 4A-4D depict schematic diagrams illustrating exemplary attacksaccording to various disclosed embodiments of the present disclosure.The attacks are more general. Stealthiest attack scenarios and worstcases are considered. Without constraints on the duration of theattacks, each sequence may be attacked regardless of its length. Thetraining dataset including 709 engine IDs of the C-MAPSS is used togenerate 2,836 attacked sensor output sequences for four FDIA scenarioswith the generalized assumptions. Similarly, the test dataset includes707 engine IDs with normal sequences and 2,828 attacked sequences.

The training dataset is used to train both the LSTM model and the GRUmodel. The test results are shown in FIG. 6 . The accuracies for theLSTM model and the GRU model are 96.04% and 96.26%, respectively. Thesensitivities for the LSTM model and the GRU model are 97.84% and99.40%, respectively. The specificities for the LSTM model and the GRUmodel are 88.82% and 83.87%, respectively. In this case, all 21 sensoroutputs are used as inputs for the two models, that is, in_feature=21,out_feature=64, and the linear layer in_feature=64. As shown in FIG. 6 ,the detection accuracy decreases because the attacks are moregeneralized.

The LSTM model and the GRU model are able to detect generalized attacks.The next step is to detect the attacked sensors. The complexity of theoutput space for detecting which sensors are attacked is C₂₁ ^(m), wherem is the number of the attacked sensors, and C denotes the combinationnumber.

In some embodiments, the classification problem can be converted into aregression problem. For example, the attacked sensor outputs are labeledas “1”s and the normal sensor outputs are labeled as “0”s. Theprediction of a classification model is a 21-dimensional binary vectorthat indicates the sensors are attacked or not. It is attempted to usethe LSTM model and the GRU model to approximate this distribution.Because the output space is too complicated, it is unsuccessful evenwhen m=2.

To simplify the complexity of the output space, the sensors areindividually separated. One model is trained for each sensor output todetermine whether the sensor is attacked. It is assumed that the sensorshaving the constant outputs are not attacked and are excluded. Thus, 14models are trained for the remaining sensors. In aone-model-for-each-sensor approach, the LSTM model fails to converge inthe training of detecting the FDIAs only for three sensors. The trainingresult of the GRU model is shown in FIG. 7 . In this case, one modelaccepts one sensor output at each time cycle, that is, in_feature=1,out_feature=16, and the linear layer in_feature=16. The averagesensitivity is 94.57%, and the average specificity is 81.20%.

The major difference between training on all sensor outputs together andtraining single sensor output individually is that the dependencyinformation between the sensor outputs is unavailable if they areseparated. In this case, the accuracy for detecting the FDIAs decreasesfurther. Thus, the dependency of the sensor outputs plays an importantrole in detecting the FDIAs. Although training one model for each sensoroutput makes detecting which sensor is attacked feasible, missing thedependency information between the sensor outputs decreases thedetection accuracy.

Training one model for each sensor requires testing the sequence byusing multiple models (e.g., 14 models in C-MAPSS dataset) every time anew sensor reading arrives. This is computationally expensive. As thedata normalization is a routine procedure before the data is fed to themodels, a dynamic range of the sensor outputs does not matter. It isreasonable to consider all the sensor outputs obey one complexdistribution. Thus, one model is used to learn the distribution. In thiscase, a GRU model is trained to distinguish the attacked sequences foreach senor output. The training procedure remains the same as previouslydescribed. But all sensor outputs are combined into one dataset and onlyone model is used to learn on the dataset.

In some embodiments, the training dataset includes 49,630 (i.e.,709×14×5) samples, and the test dataset includes 49,490 (i.e., 707×14×5)samples. The confusion matrix for detecting the FDIAs by training oneGRU model for all sensor outputs is shown in FIG. 8 . The overallclassification accuracy is 94.54%. The sensitivity is 98.72%. Thespecificity is 77.79%. Because the sensor outputs are separated, thedependency information between the sensors is not available to thelearning model. In this case, the specificity is not as high as in FIG.6 .

In addition to finding out which sensor is attacked, quickly detectingan FDIA is another objective. The continuous-biased attacks shown inFIG. 4 are used to evaluate the performance of the RNN model. The attackis defined in the equation below:

$S_{i}^{a} = \{ {\begin{matrix}S_{i}^{n} & {i < d} \\{S_{i}^{n} + N_{i} + c} & {d \leq i \leq n}\end{matrix},} $

where S_(i) ^(n) and S_(i) ^(a) denote a value of ith cycle in a normaland attacked sensor output, respectively (1≤i≤n), N_(i)˜

(0,σ) is a white noise with zero mean and standard deviation that isdescribed in Table 2, c is a shift bias, and d is the time cycle whenthe attack is initiated. For simplicity, let d=└0.2n┘.

Among these parameters, c represents an intensity of the attack. Forexample, c is zero for stealth attacks. To examine an impact of c to howsoon the FDIA can be detected, c is set to 0, m_(obs)×0.01%,m_(obs)×0.03%, or m_(obs)×0.05%, where

${m_{obs} = {\frac{1}{d}{\Sigma}_{1}^{d}S_{i}^{n}}},$

which is an average of the observations before the attack is initiated.The GRU model trained for detecting the generalized FDIAs is used toexamine how soon the FDIAs with different intensities (c) are detected.The results are shown in FIG. 9 . As shown in FIG. 9 , nearly 70% of theattacks can be detected in the first three cycles even in thestealthiest scenario. As the attack intensity increases, the attack canbe detected sooner. About 85% of the attacks can be detected in six toeight cycles in the cases that have stronger attacks. However, the plotof c=m_(obs)×0.03% overlaps the plot of c=m_(obs)×0.05%, indicating thatthe accuracy no longer increases after the attack intensity reaches acertain level (e.g., c=m_(obs)×0.03%).

In some embodiments, the graphical Bayesian network model is used torepresent the dynamic nature of the CBPM system and predict potentialcyberattacks. The graphical Bayesian network model encodes the domainknowledge and the condition-symptom relationships of different plantcomponents and sensors, serves as a baseline physics-informed model forreference and comparison, and also serves as a model to analyzesimulated data obtained from data acquisition (DAQ) for any portion ofthe system by generating sampling data from the roots of the graphicalBayesian network model. The sampling data can then be used for testingor constructing a probabilistic knowledge graph model.

The static knowledge from the technical manuals and the mathematicalengine models describe the components of the system, how the componentsare connected, which characteristics of the system are measured anddisplayed, and how the overall system works. These relationships aremore deterministic in nature and provide the topological structure ofthe graphical Bayesian network model and the condition-symptomrelationships. The dynamic and noisy information regarding thecondition-symptom relationships that are non-deterministic isrepresented by weight or probability of occurrence and is encoded in thelinks between the different nodes of the model. Trending data and rulesregarding indications of possible cyberattacks can also be modeled forprognostics.

Because limited public data repositories exist for predictivemaintenance for the deep learning of a data-driven model, the sensordata from C-MAPSS is leveraged. The sensor data meets the requirementsof a suitable system model that allows input variations ofhealth-related parameters and recording the resulting output sensormeasurements.

The graphical Bayesian network model is a physics-informed mode forrepresenting knowledge about uncertainties. It is based on the Bayesianapproach of probability and statistics, which takes into account priorbelief and uses probability inference to update belief based on observedevidence. The graphical Bayesian network model includes direct acyclicgraphs that contain nodes representing hypotheses or states, arcsrepresenting direct dependency relationships among the hypotheses, andconditional probabilities that encode the inferential force of thedependency relationship.

C-MAPSS produces a total of 21 different sensor outputs. Of these 21outputs, only selected first level sensor components are monitored by acontrol logic as the input sensors in the graphical Bayesian network:N₁, N₂, P₂₀, T₂₀, T₂₄, P_(s30), T₄₈, T₅₀, and P₅₀. These sensors formfundamental information states of the graphical Bayesian network model.

The graphical Bayesian network model is developed for cyberattackcondition-symptom analysis to assist in the detection of the FDIAs onsystem sensor readings. The graphical Bayesian network model focuses onmajor engine components of a compressor and a turbine engine. Theeffects of various faults on engine component degradation are reflectedin flow capacity and isentropic efficiency. Two common causes ofdeterioration chosen to model here are erosion and fouling. Generally,the compressor fouling and erosion decrease both air flow and turbineefficiency. But the compressor erosion causes an increase in flowcapacity. These effects are detected by changes in temperature andpressures as shown in the h-s diagram. The flow is proportional to thesquare root of the temperature over the pressure, and the efficiency isthe ratio of the affected flow to the undeteriorated flow.

The graphical Bayesian network model of the engine shown in FIG. 11 andFIG. 12 has two states: a normal state and a fault/attack state. Twoprimary components are represented by the nodes “LPC_Status” and“HPT_Status”. The components have four states: a normal operation state,a blade fouling state, a blade erosion state, and a cyberattack state.The measurements associated with the two components include atemperature, a pressure, and an associated shaft speed. The conditionalprobability tables associated with each measurement node reflectsthat: 1) the fouling causes an increase in the temperature, thepressure, and the shaft speed; 2) the erosion causes a decrease in thetemperature, the pressure, and the shaft speed; and 3) an increase inone reading and a decrease in another are inconsistent and indicate apotential cyberattack.

For example, as shown in FIG. 12 , the low fan speed, the high T₂₄, andthe low P₂₄ are inconsistent with expected system behavior, whichresults in an increased probability of a cyberattack (e.g., about 89%).About 89% is much greater than a normal probability of about 2.2% forthe expected readings of an engine suffering from compressor fouling, asshown in FIG. 11 . In the case shown in FIG. 11, the engine has a highprobability of normal functioning even though there are out of normalreadings. In the case shown in FIG. 12 , the engine has an over 89%chance of being in the fault/attack state.

The present disclosure also provides a cyber resilience integratedsecurity inspection system (CRISIS) against the FDIAs. The CRISISsupports real-time system aware monitoring. The CRISIS cansimultaneously process the sensor data in streaming and batch processingmode and provide scalable predictive maintenance with different datavolumes and complexity. FIG. 13 depicts a structural diagramillustrating a cyber resilience integrated security inspection system(CRISIS) against the FDIAs according to various disclosed embodiments ofthe present disclosure. As shown in FIG. 13 , the CRISIS includes afront-end server and a back-end server.

In some embodiments, the CRISIS receives the sensor data from differenttypes of assets. Each asset may contain several subsystems. In order toprovide predictive maintenance on a fleet level, multiple models withsimilar structures but different parameters are constructed andimplemented at the same time. Ongoing maintenance activities may bedynamically updated in the cyberattack knowledge base for subsequentmaintenance planning. The implementation of the CRISIS is a hybriddesign including a software-in-the-loop (SITL) module and ahardware-in-the-loop (HITL) module to support multiple tasks.

As shown in FIG. 13 , the CRISIS includes the HITL module coupling withthe data acquisition (DAQ) subsystem of the CBPM system or thecomponents. The sensor data is collected using a multichannel embeddedsensor node configured to monitor a pressure, a temperature, an angularposition, and an acceleration for a gas turbine engine. The CRISISincludes transducers to instrument the test stand and monitors bothprocess-related and dynamic responses using a lower power dataacquisition circuit. The sensor node includes a microcontroller, such asTexas Instruments' MSP432 to provide on-board signal conditioning, datastorage, signal processing, analysis, and data transmission throughwired or wireless interfaces. The sensor node may be powered by aninternal primary or rechargeable battery, an external DC power supply,or an external multi-source energy harvesting system, with acceptablesupply voltages approximately between 3.3V DC and 5.5V DC.

For example, as shown in FIG. 14 , the sensors send analog signals tothe microcontroller. The microcontroller converts and processes theanalog signals from the sensors into digital signals, and sends thedigital signals to a computer for further processing. A window of COM3shows the digital signals received by the computer. A window of FIG. 2shows the digital signals in a graphic form.

In some embodiments, as shown in FIG. 13 , the CRISIS includes thecyberattack detection model and the graphical Bayesian network modelbetween the SITL module and the HITL module. For example, a Raspberry Piis used to integrate the cyberattack detection model, the graphicalBayesian network model, and Kafka streaming for real-time dataacquisition and cyberattack detection. The simulated data will bestreamed to the front-end server (e.g., the SITL module) for GUIdisplay.

As shown in FIG. 13 , a web-based GUI is implemented to show thepredicted RUL and RUL distribution for ship engines, provide accuratedetection regarding possible cyberattack situations and defectivecomponents, and further present maintenance recommendations. Inaddition, a series of application programming interfaces (APIs) areimplemented to provide an interface to other web service systems. TheCRISIS can be standalone or integrated with other systems to provideservices via the web. This interface provides two sections for a user toview the conditions and predictive maintenance of the ship. One sectionincludes a summary table including all the ships in the maintenancedepot with an indicator indicating a current status of each ship. Theindicator indicates one of four statuses: a normal status, a recommendedmaintenance status, a failure alert—waiting maintenance status, and anin-maintenance status.

As shown in FIG. 15 , in an engine condition table management tab, theuser is able to view the conditions of all the gas turbine engines. Asthe CRISIS constantly receives the sensor data from the sensors of theCBPM system, the cyberattack detection model detects the FDIAs inreal-time, and displays compromised sensors. A predicted RUL andpotential distribution are presented based on the outputs of thecyberattack detection model and the graphical Bayesian network model.Combining the information from the sensor data and detection results,the graphical Bayesian network model computes a health condition indexfor each component of the engine and identifies potential defectivecomponents. For example, LPT is detected as under the cyberattack.

In the embodiments of the present disclosure, the cyberattack detectionmodel is used to characterize a performance state of the monitored CBPMsystem to identify and classify sources of the cyberattacks accuratelyand timely. In addition, the graphical Bayesian network model is used torepresent the dynamic nature of a component or a sub-system of the CBPMsystem, encode the domain knowledge and the condition-symptomrelationships of different plant components, and the sensors. Theanomaly patterns (e.g., the cyberattacks) are efficiently revealed bythe corresponding sensor readings and trends. Further, the hybridimplementation with the SITL mode and the HITL module for thecyberattack detection system accurately detects the cyberattackpatterns, predicts the effects of the cyberattacks on the RULestimation, and identifies the potential defective components, therebyimproving cyber resilience of the CBPM system.

The present disclosure also provides a cyberattack detection system fordetecting FDIAs. FIG. 16 depicts a structural block diagram illustratinga cyberattack detection system according to various disclosedembodiments of the present disclosure. As shown in FIG. 16 , thecyberattack detection system includes a display screen 1601, a processor1602, a memory 1603, and a data interface 1604.

The display screen 1601 may be a liquid crystal display (LCD) or anorganic light-emitting diode (OLED) display. The display screen may alsobe a touch screen. The processor 1602 may be a central processing unit(CPU). The processor 1602 may also include a hardware chip. The hardwarechip may be an application-specific integrated circuit (ASIC), aprogrammable logic device (PLD), or a combination thereof. For example,the PLD may be a complex programmable logic device (CPLD), afield-programmable gate array (FPGA), or a combination thereof. Thememory 1603 may include a volatile memory. The memory 1603 may alsoinclude a non-volatile memory. The memory 1603 may also include acombination of the foregoing types of memories. The data interface 604may include a keyboard, a mouse, a USB interface, and a communicationinterface. A user may use the keyboard, the mouse, and the USB interfaceto input the wafer image and the defect information.

In some embodiments, the memory 1603 stores program instructions. Whenthe program instructions are executed, the processor 1602 calls theprogram instructions stored in the memory 1603 to perform: collectingsensor data from the sensors to extract features for a cyberattackdetection model and gathering historical data of the system to build acyberattack knowledge base about the system; combining the sensor dataand the historical data to train the cyberattack detection model; usinga graphical Bayesian network model to capture domain knowledge andcondition-symptom relationships between the sensor-monitored componentsand the sensors; and based on the cyberattack detection model and theBayesian network model, detecting false data injection attacks (FDIAs)on the CBPM system.

In some embodiments, the system maintained by the CBPM system includes anavy ship or a submarine, and the components of the system include atleast a compressor and a turbine engine.

In some embodiments, the sensor data includes readings of one or more ofan accelerometer, a strain gauge, and a thermometer, and the historicaldata is unstructured text data including one or more of a systemoperator log, hardware information, and software information.

In some embodiments, when gathering the historical data of the system tobuild the cyberattack knowledge base about the system, the processor1602 is further configured to perform natural language processing toconvert the unstructured text data into concepts and relationships tobuild the cyberattack knowledge base about the system.

In some embodiments, the cyberattack detection model includes a longshort-term memory (LSTM) model or a gated recurrent unit (GRU) model.

In some embodiments, the processor 1602 is further configured to:separately train one cyberattack detection model for each sensor usingthe sensor data from the corresponding sensor, and determine whichsensor is attacked based on the separately trained cyberattack detectionmodel.

In some embodiments, the domain knowledge includes technical manuals andmathematical engine models that describe the components of the system,how the components are connected, which characteristics of the systemare measured by the sensors; and how the system works. The domainknowledge provides a topological structure for the graphical Bayesiannetwork model. The condition-symptom relationships determine the weightsof links between nodes of the graphical Bayesian network model.

In some embodiments, the processor 1602 is further configured tointegrate with the CBPM system to display each sensor being attacked bythe FDIAs, detect global navigation satellite system (GNSS) andautomatic identification system (AIS) spoofing, detect channel accessattacks on the CBPM system, and predict the effect of the FDIAs onremaining useful life (RUL) of the system and make maintenancerecommendation.

In the embodiments of the present disclosure, the cyberattack detectionmodel is used to characterize a performance state of the monitored CBPMsystem to identify and classify sources of the cyberattacks accuratelyand timely. In addition, the graphical Bayesian network model is used torepresent the dynamic nature of a component or a sub-system of the CBPMsystem, encode the domain knowledge and the condition-symptomrelationships of different plant components and the sensors. The anomalypatterns (e.g., the cyberattacks) are efficiently revealed by thecorresponding sensor readings and trends. Further, the hybridimplementation with the SITL mode and the HITL module for thecyberattack detection system accurately detects the cyberattackpatterns, predicts the effects of the cyberattacks on the RULestimation, and identifies the potential defective components, therebyimproving the cyber resilience of the CBPM system.

The present disclosure also provides a computer-readable storage medium.The computer-readable storage medium stores a computer program. Whenbeing executed by a processor, the computer program implements theembodiments of the cyberattack detection method shown in FIG. 2 . Thedescription thereof is omitted.

The computer-readable storage medium may be an internal storage unit ofthe device described in any of the foregoing embodiments. For example,the computer-readable storage medium may be a hard disk or an internalmemory of the device. The computer-readable storage medium may also bean external storage device of the device, such as a plug-in hard disk, asmart media card (SMC), a secure digital (SD) card, a flash card, etc.Further, the computer-readable storage medium may also include aninternal storage unit and an external storage device. Thecomputer-readable storage medium may also store the computer program,and other programs and data required by the device. Thecomputer-readable storage medium may also temporarily store alreadyoutputted data or to-be-outputted data.

Those skilled in the art should understand that all or part of theprocesses in the foregoing method embodiments can be implemented byinstructing relevant hardware through a computer program. The computerprogram may be stored in the computer-readable storage medium, and whenbeing executed, the computer program implements the processes of theforegoing method embodiments. The storage medium may be a magnetic disk,an optical disk, a read-only memory (ROM), or a random-access memory(RAM).

Other embodiments of the disclosure will be apparent to those skilled inthe art from consideration of the specification and practice of thedisclosure disclosed herein. It is intended that the specification andexamples be considered as exemplary only, with a true scope and spiritof the disclosure being indicated by the following claims.

What is claimed is:
 1. A method for detecting false data injectionattacks (FDIAs) on a condition-based predictive maintenance (CBPM)system, comprising: collecting sensor data from sensors monitoringcomponents of a system maintained by the CBPM system to extract featuresfor a cyberattack detection model and gathering historical data of thesystem to build a cyberattack knowledge base about the system; combiningthe sensor data and the historical data to train the cyberattackdetection model; using a graphical Bayesian network model to capturedomain knowledge and condition-symptom relationships between thesensor-monitored components and the sensors; and based on thecyberattack detection model and the Bayesian network model, detectingthe FDIAs on the CBPM system.
 2. The method according to claim 1,wherein: the system includes a navy ship or a submarine; and thecomponents of the system include at least a compressor and a turbineengine.
 3. The method according to claim 2, wherein: the sensor dataincludes readings of one or more of an accelerometer, a strain gauge,and a thermometer; and the historical data is unstructured text dataincluding one or more of a system operator log, hardware information,and software information.
 4. The method according to claim 3, whereingathering the historical data of the system to build the cyberattackknowledge base about the system includes: performing natural languageprocessing to convert the unstructured text data into concepts andrelationships to build the cyberattack knowledge base about the system.5. The method according to claim 1, wherein: the cyberattack detectionmodel includes a long short-term memory (LSTM) model or a gatedrecurrent unit (GRU) model.
 6. The method according to claim 1, furthercomprising: separately training one cyberattack detection model for eachsensor using the sensor data from the corresponding sensor; anddetermining which sensor is attacked based on the separately trainedcyberattack detection model.
 7. The method according to claim 1,wherein: the domain knowledge includes technical manuals andmathematical engine models that describe the components of the system,how the components are connected, which characteristics of the systemare measured by the sensors; and how the system works; the domainknowledge provides a topological structure for the graphical Bayesiannetwork model; and the condition-symptom relationships determine weightsof links between nodes of the graphical Bayesian network model.
 8. Themethod according to claim 1, further comprising: integrating with theCBPM system to display each sensor being attacked by the FDIAs, detectglobal navigation satellite system (GNSS) and automatic identificationsystem (AIS) spoofing, detect channel access attacks on the CBPM system,and predict effect of the FDIAs on remaining useful life (RUL) of thesystem and make maintenance recommendation.
 9. A cyberattack detectionsystem, comprising: sensors monitoring components of a system maintainedby a condition-based predictive maintenance (CBPM) system; a memorystoring computer programs; and a processor configured to execute thecomputer programs to: collect sensor data from the sensors to extractfeatures for a cyberattack detection model and gather historical data ofthe system to build a cyberattack knowledge base about the system;combine the sensor data and the historical data to train the cyberattackdetection model; use a graphical Bayesian network model to capturedomain knowledge and condition-symptom relationships between thesensor-monitored components and the sensors; and based on thecyberattack detection model and the Bayesian network model, detect falsedata injection attacks (FDIAs) on the CBPM system.
 10. The cyberattackdetection system according to claim 9, wherein: the system includes anavy ship or a submarine; and the components of the system include atleast a compressor and a turbine engine.
 11. The cyberattack detectionsystem according to claim 10, wherein: the sensor data includes readingsof one or more of an accelerometer, a strain gauge, and a thermometer;and the historical data is unstructured text data including one or moreof a system operator log, hardware information, and softwareinformation.
 12. The cyberattack detection system according to claim 11,wherein when gathering the historical data of the system to build thecyberattack knowledge base about the system, the processor is furtherconfigured to: perform natural language processing to convert theunstructured text data into concepts and relationships to build thecyberattack knowledge base about the system.
 13. The cyberattackdetection system according to claim 9, wherein: the cyberattackdetection model includes a long short-term memory (LSTM) model or agated recurrent unit (GRU) model.
 14. The cyberattack detection systemaccording to claim 9, wherein the processor is further configured to:separately train one cyberattack detection model for each sensor usingthe sensor data from the corresponding sensor; and determine whichsensor is attacked based on the separately trained cyberattack detectionmodel.
 15. The cyberattack detection system according to claim 9,wherein: the domain knowledge includes technical manuals andmathematical engine models that describe the components of the system,how the components are connected, which characteristics of the systemare measured by the sensors; and how the system works; the domainknowledge provides a topological structure for the graphical Bayesiannetwork model; and the condition-symptom relationships determine weightsof links between nodes of the graphical Bayesian network model.
 16. Thecyberattack detection system according to claim 9, wherein the processoris further configured to: integrate with the CBPM system to display eachsensor being attacked by the FDIAs, detect global navigation satellitesystem (GNSS) and automatic identification system (AIS) spoofing, detectchannel access attacks on the CBPM system, and predict effect of theFDIAs on remaining useful life (RUL) of the system and make maintenancerecommendation.
 17. A computer-readable storage medium storing acomputer program for detecting false data injection attacks (FDIAs) on acondition-based predictive maintenance (CBPM) system, the computerprogram performing: collecting sensor data from sensors monitoringcomponents of a system maintained by the CBPM system to extract featuresfor a cyberattack detection model and gathering historical data of thesystem to build a cyberattack knowledge base about the system; combiningthe sensor data and the historical data to train the cyberattackdetection model; using a graphical Bayesian network model to capturedomain knowledge and condition-symptom relationships between thesensor-monitored components and the sensors; and based on thecyberattack detection model and the Bayesian network model, detectingthe FDIAs on the CBPM system.
 18. The computer-readable storage mediumaccording to claim 17, wherein: the system includes a navy ship or asubmarine; and the components of the system include at least acompressor and a turbine engine.
 19. The computer-readable storagemedium according to claim 18, wherein: the sensor data includes readingsof one or more of an accelerometer, a strain gauge, and a thermometer;and the historical data is unstructured text data including one or moreof a system operator log, hardware information, and softwareinformation.
 20. The computer-readable storage medium according to claim19, wherein gathering the historical data of the system to build thecyberattack knowledge base about the system includes: performing naturallanguage processing to convert the unstructured text data into conceptsand relationships to build the cyberattack knowledge base about thesystem.